On 12 September 2024, the Privacy and Other Legislation Amendment Bill 2024 (Bill) was introduced into the lower house of Federal Parliament. This represents the first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act) and other relevant legislation, foreshadowed in the Attorney-General's Privacy Act Review Report of February 2023 and the Government's Response in September 2023, which was covered in our update On the road: Australia's privacy law overhaul begins. This update focusses specifically on the potential exposures for insureds and insurers arising out of the reforms, the cover that may be available under insurance policies and next steps.
Overview of Privacy Act reforms
Some of the key reforms proposed by the Bill are as follows:
- Cause of action in tort for serious invasion of privacy: The Bill introduces a statutory tort for serious invasion of privacy, which will allow individuals (i.e., natural persons, not companies) to sue for serious invasion of privacy. The individual would need to prove that there was an invasion of privacy by intrusion on their seclusion or misuse of information relating to them, that they had a reasonable expectation of privacy in all the circumstances, that the invasion of privacy was intentional or reckless (rather than merely negligent), that the invasion of privacy was serious, and that the public interest in protecting the individual's privacy outweighs any countervailing public interest raised by the defendant. Remedies include injunctions, declarations, ordered apologies and compensation. The cause of action does not require harm to be caused, but damages can be awarded for emotional distress, as well as exemplary or punitive damages in limited circumstances. Damages are capped at $478,550.
- Criminal offence of 'doxxing': The Bill introduces two new offences to the Criminal Code Act 1995 (Cth). The first prohibits use of a carriage service to make available, publish or distribute personal data in a way that reasonable persons would regard as being menacing or harassing (punishable by up to 6 years imprisonment). The second prohibits targeting a person or group due to a belief that they are distinguished by their race, religion, sex, sexual orientation, gender identity, intersex status, disability, nationality or national or ethnic origin (punishable by up to 7 years imprisonment).
- Civil penalties: The Bill introduces new civil penalties that are tailored according to the seriousness of the interference with privacy. Seriousness is to be determined by taking into account factors including the sensitivity of the individual's personal information and the consequences of the interference with privacy. A serious interference with privacy of an individual attracts a maximum penalty of $2.5 million for individuals, and for body corporates the maximum penalty will be the greatest of $50 million, 3 times the value of the benefit obtained or 30% of adjusted turnover during the breach turnover period. An interference with an individual's privacy that is not serious attracts a maximum penalty of 2000 penalty units (currently $626,000) for an individual and for body corporates the maximum penalty will be 5 times the amount specified for an individual (currently $3.13 million).
- OAIC powers: The Bill proposes to provide the OAIC with a number of enhanced enforcement mechanisms. The OAIC will be able to issue infringement notices for relatively minor contraventions of the Privacy Act (e.g., non-compliant privacy policy or failure to issue a compliant data breach notice). The penalty payable under such notices will not exceed 200 penalty units (currently $62,600). As to the OAIC's investigative and monitoring powers, the Privacy Act provisions regulating entry and inspection would be replaced and the OAIC permitted to use powers for certain measures under the Regulatory Powers (Standard Provisions) Act 2014 (Cth). The Information Commissioner will also be able to hold public inquiries (contemplated to concern systemic or industry-wide issues) at the direction or approval of the Minister, and as part of this will have powers to require production of documents and information and examine witnesses.
More information on the features of the proposed reform can be found in our update On the road: Australia's privacy law overhaul begins.
What is the potential exposure for insureds and insurers?
The reforms included in the Bill will be relevant to insureds who are (and by extension, insurers who issue policies to) organisations that hold existing responsibilities under the Privacy Act, being:
- Organisations with annual turnover of more than $3 million; and
- Certain organisations with annual turnover of $3 million or less, being a private sector health service provider, a business that sells or purchases personal information, a credit reporting body, a contracted service provider for an Australian Government contract, an employee association registered or recognised under the Fair Work (Registered Organisations) Act 2009 (Cth), a business that holds accreditation under the Consumer Data Right System, a business that has opted in to the Privacy Act, a business related to a business covered by the Privacy Act or a business prescribed by the Privacy Regulation 2013 (Cth).
As will be evident from the above, the reforms create a number of new potential liability exposures for these insureds, including both civil and criminal proceedings which may result in adverse determination or conviction (as applicable). In particular, insureds will need to be mindful not only of the new cause of action in tort for serious invasion of privacy, but the heightened consequences for lesser contraventions of the Privacy Act which now can attract OAIC infringement notices. Insureds must be aware that they may be required to produce documents or information or attend public hearings as a result of the OAIC enhanced enforcement powers. Each of these new potential liability exposures may create financial exposure for insureds, whether in the form of Court-awarded damages or infringement notices, or the costs of involvement in OAIC investigations or public inquiries.
This gives rise to the question as to how the insured's insurance policies may respond to the potential exposure.
What cover may be available under insurance policies?
Of course, whether an insured has cover for exposures arising from the Privacy Act reforms will depend on the particular policy and its wording. We make some general comments as follows:
- A general liability policy may cover damages and defence costs payable as a result of the new tort for serious invasion of privacy, on the basis that such a policy generally covers the insured's liability to pay damages (including claimant's costs) and defence costs for personal injury or advertising liability occurring during the policy period and in connection with the insured's business or products. Whilst the new tort does not require that harm be caused, policies may define personal injury as including mental anguish or injury. The definition of personal injury may also expressly include invasion of privacy; however, in other policies this constitutes advertising liability, and in that case cover may only be available where the invasion of privacy is in connection with the insured's advertising activities. A further challenge is that some policies will contain a broad exclusion for wilful or deliberate acts or omissions of the insured or any employee (or at the least, intentional advertising liability), and so there may not be cover where the invasion of privacy was intentional, but possibly cover if the conduct was reckless. These policies will typically not cover any aggravated, exemplary or punitive damages component and will also generally not cover the new civil penalties or contraventions giving rise to OAIC infringement notices or criminal acts.
- A statutory liability policy may cover civil penalties for contraventions of the Privacy Act, infringement notices and participation in investigations or public inquiries undertaken by the OAIC. Generally speaking, such policies provide cover for defence costs, prosecution costs and penalties for various types of statutory liability claims first made during the policy period. Such claims can include notices of investigations, examinations or inquiries in connection with the insured's business, or legal proceedings commenced by a regulatory authority involving statutory breach. Cover may expressly extend to costs to produce documents or for preparation, attendance or representation as a result of an inquiry, as well as public relations expenses associated with a covered claim. However, these policies will generally not afford cover for damages payable in civil proceedings (i.e., damages pursuant to the new tort cause of action) or compensation for damage in consequence of statutory breach, or a part of the penalty that requires the insured to remedy a matter caused by the statutory breach. Further, these policies generally exclude fraudulent, wilful, intentional and dishonest acts and reckless conduct, potentially subject to the wilful conduct being proven by final adjudication.
- A directors and officers liability policy may also provide cover where the claim in tort for serious invasion of privacy is brought against a director, officer or employee of the insured company acting in that capacity (rather than against the insured company itself), as well as for those directors or officers' participation in investigations or public inquiries undertaken by the OAIC, where the claim is made during the policy period. Such a policy may provide cover for damages (including punitive and exemplary damages), compensation orders and defence costs arising from a demand or proceedings commenced against the director or officer due to their wrongful act. There may also be cover for fees, costs and expenses incurred by the director or officer in preparing for or responding to or attending a hearing, examination or investigation by an official body into the affairs of the insured. Additionally, some policies provide cover for costs incurred by directors and officers as part of certain pre-claim inquiries, fines or penalties for claims made against directors and officers and arising specifically in relation to their wrongful acts, the director or officer's public relations expenses and for court attendance. However, many policies contain a broad exclusion for deliberate or dishonest wrongful acts and would therefore exclude cover for intentional invasion of privacy, again potentially subject to the deliberate wrongful act being proven by final adjudication. Such policies will also generally not cover the new civil penalties or contraventions giving rise to OAIC infringement notices, on the basis that these are fines or penalties incurred by the insured company (not arising from a claim made against a director or officer concerning their wrongful acts).
- These policies also generally contain an exclusion for bodily injury or property damage and so may exclude a claim under the new cause of action in tort where the claimant alleges mental injury. However, this will depend on the scope of the exclusion and the causation language used (i.e., some policies broadly exclude claims directly or indirectly attributable to bodily injury, whereas others only exclude claims that are directly related).
- A cyber policy may respond to the extent that there is first party cover (i.e., incident response expenses or data/system recovery expenses) or third party cover (i.e., third party demands or regulatory proceedings) by reason of a cyber incident discovered or claim made during the policy period (as applicable), that involves a privacy wrongful act. Depending on the terms of the policy, cover may be given where there is a failure (amongst other things) to handle or manage personal data or violation of privacy regulations. Depending on the policy, there may be cover for damages claimed by the third party, costs of responding to inquiries made by the regulator or defence of a regulatory proceeding and regulatory fines and penalties. Cyber policies generally exclude loss or claims arising out of bodily injury, but there may be a writeback of cover in respect of mental injury arising from a privacy wrongful act. These policies also generally exclude intentional, deliberate, wilful or criminal conduct.
Next steps for insureds and insurers
Insureds and insurers alike should watch closely as the Bill progresses through Parliament. At the time of writing, the Bill has been referred to the Senate Legal and Constitutional Affairs Legislation Committee, which is due to issue a report on 14 November 2024.
In the meantime:
- Insureds who are concerned about potential increased risk exposure in the areas touched on by these reforms should liaise with their insurance broker and legal adviser to determine whether their existing insurance coverage will sufficiently respond to identified risks (including consideration of the appropriateness of cover limits) and may need to consider whether additional insurance products are required; and
- Insurers must also consider whether (and what) cover may be provided to insureds under the policy terms they offer, and be ready to anticipate new claims that may arise as a consequence of the reforms. The reforms or an increased volume of claims may drive greater underwriting scrutiny of insureds' privacy protection measures prior to issuing policies. Insurers with minimal risk appetite for insuring certain types of privacy-related claims may consider whether wordings need to be changed so that particular types of claims or loss are excluded.
For more information, please contact our team.